1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * xfrm_state.c 4 * 5 * Changes: 6 * Mitsuru KANDA @USAGI 7 * Kazunori MIYAZAWA @USAGI 8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 9 * IPv6 support 10 * YOSHIFUJI Hideaki @USAGI 11 * Split up af-specific functions 12 * Derek Atkins <derek@ihtfp.com> 13 * Add UDP Encapsulation 14 * 15 */ 16 17#include <linux/workqueue.h> 18#include <net/xfrm.h> 19#include <linux/pfkeyv2.h> 20#include <linux/ipsec.h> 21#include <linux/module.h> 22#include <linux/cache.h> 23#include <linux/audit.h> 24#include <linux/uaccess.h> 25#include <linux/ktime.h> 26#include <linux/slab.h> 27#include <linux/interrupt.h> 28#include <linux/kernel.h> 29 30#include <crypto/aead.h> 31 32#include "xfrm_hash.h" 33 34#define xfrm_state_deref_prot(table, net) \ 35 rcu_dereference_protected((table), lockdep_is_held(&(net)->xfrm.xfrm_state_lock)) 36 37static void xfrm_state_gc_task(struct work_struct *work); 38 39/* Each xfrm_state may be linked to two tables: 40 41 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) 42 2. Hash table by (daddr,family,reqid) to find what SAs exist for given 43 destination/tunnel endpoint. (output) 44 */ 45 46static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024; 47static struct kmem_cache *xfrm_state_cache __ro_after_init; 48 49static DECLARE_WORK(xfrm_state_gc_work, xfrm_state_gc_task); 50static HLIST_HEAD(xfrm_state_gc_list); 51 52static inline bool xfrm_state_hold_rcu(struct xfrm_state __rcu *x) 53{ 54 return refcount_inc_not_zero(&x->refcnt); 55} 56 57static inline unsigned int xfrm_dst_hash(struct net *net, 58 const xfrm_address_t *daddr, 59 const xfrm_address_t *saddr, 60 u32 reqid, 61 unsigned short family) 62{ 63 return __xfrm_dst_hash(daddr, saddr, reqid, family, net->xfrm.state_hmask); 64} 65 66static inline unsigned int xfrm_src_hash(struct net *net, 67 const xfrm_address_t *daddr, 68 const xfrm_address_t *saddr, 69 unsigned short family) 70{ 71 return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask); 72} 73 74static inline unsigned int 75xfrm_spi_hash(struct net *net, const xfrm_address_t *daddr, 76 __be32 spi, u8 proto, unsigned short family) 77{ 78 return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask); 79} 80 81static void xfrm_hash_transfer(struct hlist_head *list, 82 struct hlist_head *ndsttable, 83 struct hlist_head *nsrctable, 84 struct hlist_head *nspitable, 85 unsigned int nhashmask) 86{ 87 struct hlist_node *tmp; 88 struct xfrm_state *x; 89 90 hlist_for_each_entry_safe(x, tmp, list, bydst) { 91 unsigned int h; 92 93 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr, 94 x->props.reqid, x->props.family, 95 nhashmask); 96 hlist_add_head_rcu(&x->bydst, ndsttable + h); 97 98 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr, 99 x->props.family, 100 nhashmask); 101 hlist_add_head_rcu(&x->bysrc, nsrctable + h); 102 103 if (x->id.spi) { 104 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi, 105 x->id.proto, x->props.family, 106 nhashmask); 107 hlist_add_head_rcu(&x->byspi, nspitable + h); 108 } 109 } 110} 111 112static unsigned long xfrm_hash_new_size(unsigned int state_hmask) 113{ 114 return ((state_hmask + 1) << 1) * sizeof(struct hlist_head); 115} 116 117static void xfrm_hash_resize(struct work_struct *work) 118{ 119 struct net *net = container_of(work, struct net, xfrm.state_hash_work); 120 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi; 121 unsigned long nsize, osize; 122 unsigned int nhashmask, ohashmask; 123 int i; 124 125 nsize = xfrm_hash_new_size(net->xfrm.state_hmask); 126 ndst = xfrm_hash_alloc(nsize); 127 if (!ndst) 128 return; 129 nsrc = xfrm_hash_alloc(nsize); 130 if (!nsrc) { 131 xfrm_hash_free(ndst, nsize); 132 return; 133 } 134 nspi = xfrm_hash_alloc(nsize); 135 if (!nspi) { 136 xfrm_hash_free(ndst, nsize); 137 xfrm_hash_free(nsrc, nsize); 138 return; 139 } 140 141 spin_lock_bh(&net->xfrm.xfrm_state_lock); 142 write_seqcount_begin(&net->xfrm.xfrm_state_hash_generation); 143 144 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U; 145 odst = xfrm_state_deref_prot(net->xfrm.state_bydst, net); 146 for (i = net->xfrm.state_hmask; i >= 0; i--) 147 xfrm_hash_transfer(odst + i, ndst, nsrc, nspi, nhashmask); 148 149 osrc = xfrm_state_deref_prot(net->xfrm.state_bysrc, net); 150 ospi = xfrm_state_deref_prot(net->xfrm.state_byspi, net); 151 ohashmask = net->xfrm.state_hmask; 152 153 rcu_assign_pointer(net->xfrm.state_bydst, ndst); 154 rcu_assign_pointer(net->xfrm.state_bysrc, nsrc); 155 rcu_assign_pointer(net->xfrm.state_byspi, nspi); 156 net->xfrm.state_hmask = nhashmask; 157 158 write_seqcount_end(&net->xfrm.xfrm_state_hash_generation); 159 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 160 161 osize = (ohashmask + 1) * sizeof(struct hlist_head); 162 163 synchronize_rcu(); 164 165 xfrm_hash_free(odst, osize); 166 xfrm_hash_free(osrc, osize); 167 xfrm_hash_free(ospi, osize); 168} 169 170static DEFINE_SPINLOCK(xfrm_state_afinfo_lock); 171static struct xfrm_state_afinfo __rcu *xfrm_state_afinfo[NPROTO]; 172 173static DEFINE_SPINLOCK(xfrm_state_gc_lock); 174 175int __xfrm_state_delete(struct xfrm_state *x); 176 177int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); 178static bool km_is_alive(const struct km_event *c); 179void km_state_expired(struct xfrm_state *x, int hard, u32 portid); 180 181int xfrm_register_type(const struct xfrm_type *type, unsigned short family) 182{ 183 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 184 int err = 0; 185 186 if (!afinfo) 187 return -EAFNOSUPPORT; 188 189#define X(afi, T, name) do { \ 190 WARN_ON((afi)->type_ ## name); \ 191 (afi)->type_ ## name = (T); \ 192 } while (0) 193 194 switch (type->proto) { 195 case IPPROTO_COMP: 196 X(afinfo, type, comp); 197 break; 198 case IPPROTO_AH: 199 X(afinfo, type, ah); 200 break; 201 case IPPROTO_ESP: 202 X(afinfo, type, esp); 203 break; 204 case IPPROTO_IPIP: 205 X(afinfo, type, ipip); 206 break; 207 case IPPROTO_DSTOPTS: 208 X(afinfo, type, dstopts); 209 break; 210 case IPPROTO_ROUTING: 211 X(afinfo, type, routing); 212 break; 213 case IPPROTO_IPV6: 214 X(afinfo, type, ipip6); 215 break; 216 default: 217 WARN_ON(1); 218 err = -EPROTONOSUPPORT; 219 break; 220 } 221#undef X 222 rcu_read_unlock(); 223 return err; 224} 225EXPORT_SYMBOL(xfrm_register_type); 226 227void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family) 228{ 229 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 230 231 if (unlikely(afinfo == NULL)) 232 return; 233 234#define X(afi, T, name) do { \ 235 WARN_ON((afi)->type_ ## name != (T)); \ 236 (afi)->type_ ## name = NULL; \ 237 } while (0) 238 239 switch (type->proto) { 240 case IPPROTO_COMP: 241 X(afinfo, type, comp); 242 break; 243 case IPPROTO_AH: 244 X(afinfo, type, ah); 245 break; 246 case IPPROTO_ESP: 247 X(afinfo, type, esp); 248 break; 249 case IPPROTO_IPIP: 250 X(afinfo, type, ipip); 251 break; 252 case IPPROTO_DSTOPTS: 253 X(afinfo, type, dstopts); 254 break; 255 case IPPROTO_ROUTING: 256 X(afinfo, type, routing); 257 break; 258 case IPPROTO_IPV6: 259 X(afinfo, type, ipip6); 260 break; 261 default: 262 WARN_ON(1); 263 break; 264 } 265#undef X 266 rcu_read_unlock(); 267} 268EXPORT_SYMBOL(xfrm_unregister_type); 269 270static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family) 271{ 272 const struct xfrm_type *type = NULL; 273 struct xfrm_state_afinfo *afinfo; 274 int modload_attempted = 0; 275 276retry: 277 afinfo = xfrm_state_get_afinfo(family); 278 if (unlikely(afinfo == NULL)) 279 return NULL; 280 281 switch (proto) { 282 case IPPROTO_COMP: 283 type = afinfo->type_comp; 284 break; 285 case IPPROTO_AH: 286 type = afinfo->type_ah; 287 break; 288 case IPPROTO_ESP: 289 type = afinfo->type_esp; 290 break; 291 case IPPROTO_IPIP: 292 type = afinfo->type_ipip; 293 break; 294 case IPPROTO_DSTOPTS: 295 type = afinfo->type_dstopts; 296 break; 297 case IPPROTO_ROUTING: 298 type = afinfo->type_routing; 299 break; 300 case IPPROTO_IPV6: 301 type = afinfo->type_ipip6; 302 break; 303 default: 304 break; 305 } 306 307 if (unlikely(type && !try_module_get(type->owner))) 308 type = NULL; 309 310 rcu_read_unlock(); 311 312 if (!type && !modload_attempted) { 313 request_module("xfrm-type-%d-%d", family, proto); 314 modload_attempted = 1; 315 goto retry; 316 } 317 318 return type; 319} 320 321static void xfrm_put_type(const struct xfrm_type *type) 322{ 323 module_put(type->owner); 324} 325 326int xfrm_register_type_offload(const struct xfrm_type_offload *type, 327 unsigned short family) 328{ 329 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 330 int err = 0; 331 332 if (unlikely(afinfo == NULL)) 333 return -EAFNOSUPPORT; 334 335 switch (type->proto) { 336 case IPPROTO_ESP: 337 WARN_ON(afinfo->type_offload_esp); 338 afinfo->type_offload_esp = type; 339 break; 340 default: 341 WARN_ON(1); 342 err = -EPROTONOSUPPORT; 343 break; 344 } 345 346 rcu_read_unlock(); 347 return err; 348} 349EXPORT_SYMBOL(xfrm_register_type_offload); 350 351void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, 352 unsigned short family) 353{ 354 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 355 356 if (unlikely(afinfo == NULL)) 357 return; 358 359 switch (type->proto) { 360 case IPPROTO_ESP: 361 WARN_ON(afinfo->type_offload_esp != type); 362 afinfo->type_offload_esp = NULL; 363 break; 364 default: 365 WARN_ON(1); 366 break; 367 } 368 rcu_read_unlock(); 369} 370EXPORT_SYMBOL(xfrm_unregister_type_offload); 371 372static const struct xfrm_type_offload * 373xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load) 374{ 375 const struct xfrm_type_offload *type = NULL; 376 struct xfrm_state_afinfo *afinfo; 377 378retry: 379 afinfo = xfrm_state_get_afinfo(family); 380 if (unlikely(afinfo == NULL)) 381 return NULL; 382 383 switch (proto) { 384 case IPPROTO_ESP: 385 type = afinfo->type_offload_esp; 386 break; 387 default: 388 break; 389 } 390 391 if ((type && !try_module_get(type->owner))) 392 type = NULL; 393 394 rcu_read_unlock(); 395 396 if (!type && try_load) { 397 request_module("xfrm-offload-%d-%d", family, proto); 398 try_load = false; 399 goto retry; 400 } 401 402 return type; 403} 404 405static void xfrm_put_type_offload(const struct xfrm_type_offload *type) 406{ 407 module_put(type->owner); 408} 409 410static const struct xfrm_mode xfrm4_mode_map[XFRM_MODE_MAX] = { 411 [XFRM_MODE_BEET] = { 412 .encap = XFRM_MODE_BEET, 413 .flags = XFRM_MODE_FLAG_TUNNEL, 414 .family = AF_INET, 415 }, 416 [XFRM_MODE_TRANSPORT] = { 417 .encap = XFRM_MODE_TRANSPORT, 418 .family = AF_INET, 419 }, 420 [XFRM_MODE_TUNNEL] = { 421 .encap = XFRM_MODE_TUNNEL, 422 .flags = XFRM_MODE_FLAG_TUNNEL, 423 .family = AF_INET, 424 }, 425}; 426 427static const struct xfrm_mode xfrm6_mode_map[XFRM_MODE_MAX] = { 428 [XFRM_MODE_BEET] = { 429 .encap = XFRM_MODE_BEET, 430 .flags = XFRM_MODE_FLAG_TUNNEL, 431 .family = AF_INET6, 432 }, 433 [XFRM_MODE_ROUTEOPTIMIZATION] = { 434 .encap = XFRM_MODE_ROUTEOPTIMIZATION, 435 .family = AF_INET6, 436 }, 437 [XFRM_MODE_TRANSPORT] = { 438 .encap = XFRM_MODE_TRANSPORT, 439 .family = AF_INET6, 440 }, 441 [XFRM_MODE_TUNNEL] = { 442 .encap = XFRM_MODE_TUNNEL, 443 .flags = XFRM_MODE_FLAG_TUNNEL, 444 .family = AF_INET6, 445 }, 446}; 447 448static const struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family) 449{ 450 const struct xfrm_mode *mode; 451 452 if (unlikely(encap >= XFRM_MODE_MAX)) 453 return NULL; 454 455 switch (family) { 456 case AF_INET: 457 mode = &xfrm4_mode_map[encap]; 458 if (mode->family == family) 459 return mode; 460 break; 461 case AF_INET6: 462 mode = &xfrm6_mode_map[encap]; 463 if (mode->family == family) 464 return mode; 465 break; 466 default: 467 break; 468 } 469 470 return NULL; 471} 472 473void xfrm_state_free(struct xfrm_state *x) 474{ 475 kmem_cache_free(xfrm_state_cache, x); 476} 477EXPORT_SYMBOL(xfrm_state_free); 478 479static void ___xfrm_state_destroy(struct xfrm_state *x) 480{ 481 hrtimer_cancel(&x->mtimer); 482 del_timer_sync(&x->rtimer); 483 kfree(x->aead); 484 kfree(x->aalg); 485 kfree(x->ealg); 486 kfree(x->calg); 487 kfree(x->encap); 488 kfree(x->coaddr); 489 kfree(x->replay_esn); 490 kfree(x->preplay_esn); 491 if (x->type_offload) 492 xfrm_put_type_offload(x->type_offload); 493 if (x->type) { 494 x->type->destructor(x); 495 xfrm_put_type(x->type); 496 } 497 if (x->xfrag.page) 498 put_page(x->xfrag.page); 499 xfrm_dev_state_free(x); 500 security_xfrm_state_free(x); 501 xfrm_state_free(x); 502} 503 504static void xfrm_state_gc_task(struct work_struct *work) 505{ 506 struct xfrm_state *x; 507 struct hlist_node *tmp; 508 struct hlist_head gc_list; 509 510 spin_lock_bh(&xfrm_state_gc_lock); 511 hlist_move_list(&xfrm_state_gc_list, &gc_list); 512 spin_unlock_bh(&xfrm_state_gc_lock); 513 514 synchronize_rcu(); 515 516 hlist_for_each_entry_safe(x, tmp, &gc_list, gclist) 517 ___xfrm_state_destroy(x); 518} 519 520static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me) 521{ 522 struct xfrm_state *x = container_of(me, struct xfrm_state, mtimer); 523 enum hrtimer_restart ret = HRTIMER_NORESTART; 524 time64_t now = ktime_get_real_seconds(); 525 time64_t next = TIME64_MAX; 526 int warn = 0; 527 int err = 0; 528 529 spin_lock(&x->lock); 530 if (x->km.state == XFRM_STATE_DEAD) 531 goto out; 532 if (x->km.state == XFRM_STATE_EXPIRED) 533 goto expired; 534 if (x->lft.hard_add_expires_seconds) { 535 long tmo = x->lft.hard_add_expires_seconds + 536 x->curlft.add_time - now; 537 if (tmo <= 0) { 538 if (x->xflags & XFRM_SOFT_EXPIRE) { 539 /* enter hard expire without soft expire first?! 540 * setting a new date could trigger this. 541 * workaround: fix x->curflt.add_time by below: 542 */ 543 x->curlft.add_time = now - x->saved_tmo - 1; 544 tmo = x->lft.hard_add_expires_seconds - x->saved_tmo; 545 } else 546 goto expired; 547 } 548 if (tmo < next) 549 next = tmo; 550 } 551 if (x->lft.hard_use_expires_seconds) { 552 long tmo = x->lft.hard_use_expires_seconds + 553 (x->curlft.use_time ? : now) - now; 554 if (tmo <= 0) 555 goto expired; 556 if (tmo < next) 557 next = tmo; 558 } 559 if (x->km.dying) 560 goto resched; 561 if (x->lft.soft_add_expires_seconds) { 562 long tmo = x->lft.soft_add_expires_seconds + 563 x->curlft.add_time - now; 564 if (tmo <= 0) { 565 warn = 1; 566 x->xflags &= ~XFRM_SOFT_EXPIRE; 567 } else if (tmo < next) { 568 next = tmo; 569 x->xflags |= XFRM_SOFT_EXPIRE; 570 x->saved_tmo = tmo; 571 } 572 } 573 if (x->lft.soft_use_expires_seconds) { 574 long tmo = x->lft.soft_use_expires_seconds + 575 (x->curlft.use_time ? : now) - now; 576 if (tmo <= 0) 577 warn = 1; 578 else if (tmo < next) 579 next = tmo; 580 } 581 582 x->km.dying = warn; 583 if (warn) 584 km_state_expired(x, 0, 0); 585resched: 586 if (next != TIME64_MAX) { 587 hrtimer_forward_now(&x->mtimer, ktime_set(next, 0)); 588 ret = HRTIMER_RESTART; 589 } 590 591 goto out; 592 593expired: 594 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) 595 x->km.state = XFRM_STATE_EXPIRED; 596 597 err = __xfrm_state_delete(x); 598 if (!err) 599 km_state_expired(x, 1, 0); 600 601 xfrm_audit_state_delete(x, err ? 0 : 1, true); 602 603out: 604 spin_unlock(&x->lock); 605 return ret; 606} 607 608static void xfrm_replay_timer_handler(struct timer_list *t); 609 610struct xfrm_state *xfrm_state_alloc(struct net *net) 611{ 612 struct xfrm_state *x; 613 614 x = kmem_cache_zalloc(xfrm_state_cache, GFP_ATOMIC); 615 616 if (x) { 617 write_pnet(&x->xs_net, net); 618 refcount_set(&x->refcnt, 1); 619 atomic_set(&x->tunnel_users, 0); 620 INIT_LIST_HEAD(&x->km.all); 621 INIT_HLIST_NODE(&x->bydst); 622 INIT_HLIST_NODE(&x->bysrc); 623 INIT_HLIST_NODE(&x->byspi); 624 hrtimer_init(&x->mtimer, CLOCK_BOOTTIME, HRTIMER_MODE_ABS_SOFT); 625 x->mtimer.function = xfrm_timer_handler; 626 timer_setup(&x->rtimer, xfrm_replay_timer_handler, 0); 627 x->curlft.add_time = ktime_get_real_seconds(); 628 x->lft.soft_byte_limit = XFRM_INF; 629 x->lft.soft_packet_limit = XFRM_INF; 630 x->lft.hard_byte_limit = XFRM_INF; 631 x->lft.hard_packet_limit = XFRM_INF; 632 x->replay_maxage = 0; 633 x->replay_maxdiff = 0; 634 spin_lock_init(&x->lock); 635 } 636 return x; 637} 638EXPORT_SYMBOL(xfrm_state_alloc); 639 640void __xfrm_state_destroy(struct xfrm_state *x, bool sync) 641{ 642 WARN_ON(x->km.state != XFRM_STATE_DEAD); 643 644 if (sync) { 645 synchronize_rcu(); 646 ___xfrm_state_destroy(x); 647 } else { 648 spin_lock_bh(&xfrm_state_gc_lock); 649 hlist_add_head(&x->gclist, &xfrm_state_gc_list); 650 spin_unlock_bh(&xfrm_state_gc_lock); 651 schedule_work(&xfrm_state_gc_work); 652 } 653} 654EXPORT_SYMBOL(__xfrm_state_destroy); 655 656int __xfrm_state_delete(struct xfrm_state *x) 657{ 658 struct net *net = xs_net(x); 659 int err = -ESRCH; 660 661 if (x->km.state != XFRM_STATE_DEAD) { 662 x->km.state = XFRM_STATE_DEAD; 663 spin_lock(&net->xfrm.xfrm_state_lock); 664 list_del(&x->km.all); 665 hlist_del_rcu(&x->bydst); 666 hlist_del_rcu(&x->bysrc); 667 if (x->id.spi) 668 hlist_del_rcu(&x->byspi); 669 net->xfrm.state_num--; 670 spin_unlock(&net->xfrm.xfrm_state_lock); 671 672 if (x->encap_sk) 673 sock_put(rcu_dereference_raw(x->encap_sk)); 674 675 xfrm_dev_state_delete(x); 676 677 /* All xfrm_state objects are created by xfrm_state_alloc. 678 * The xfrm_state_alloc call gives a reference, and that 679 * is what we are dropping here. 680 */ 681 xfrm_state_put(x); 682 err = 0; 683 } 684 685 return err; 686} 687EXPORT_SYMBOL(__xfrm_state_delete); 688 689int xfrm_state_delete(struct xfrm_state *x) 690{ 691 int err; 692 693 spin_lock_bh(&x->lock); 694 err = __xfrm_state_delete(x); 695 spin_unlock_bh(&x->lock); 696 697 return err; 698} 699EXPORT_SYMBOL(xfrm_state_delete); 700 701#ifdef CONFIG_SECURITY_NETWORK_XFRM 702static inline int 703xfrm_state_flush_secctx_check(struct net *net, u8 proto, bool task_valid) 704{ 705 int i, err = 0; 706 707 for (i = 0; i <= net->xfrm.state_hmask; i++) { 708 struct xfrm_state *x; 709 710 hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 711 if (xfrm_id_proto_match(x->id.proto, proto) && 712 (err = security_xfrm_state_delete(x)) != 0) { 713 xfrm_audit_state_delete(x, 0, task_valid); 714 return err; 715 } 716 } 717 } 718 719 return err; 720} 721 722static inline int 723xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool task_valid) 724{ 725 int i, err = 0; 726 727 for (i = 0; i <= net->xfrm.state_hmask; i++) { 728 struct xfrm_state *x; 729 struct xfrm_state_offload *xso; 730 731 hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 732 xso = &x->xso; 733 734 if (xso->dev == dev && 735 (err = security_xfrm_state_delete(x)) != 0) { 736 xfrm_audit_state_delete(x, 0, task_valid); 737 return err; 738 } 739 } 740 } 741 742 return err; 743} 744#else 745static inline int 746xfrm_state_flush_secctx_check(struct net *net, u8 proto, bool task_valid) 747{ 748 return 0; 749} 750 751static inline int 752xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool task_valid) 753{ 754 return 0; 755} 756#endif 757 758int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync) 759{ 760 int i, err = 0, cnt = 0; 761 762 spin_lock_bh(&net->xfrm.xfrm_state_lock); 763 err = xfrm_state_flush_secctx_check(net, proto, task_valid); 764 if (err) 765 goto out; 766 767 err = -ESRCH; 768 for (i = 0; i <= net->xfrm.state_hmask; i++) { 769 struct xfrm_state *x; 770restart: 771 hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 772 if (!xfrm_state_kern(x) && 773 xfrm_id_proto_match(x->id.proto, proto)) { 774 xfrm_state_hold(x); 775 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 776 777 err = xfrm_state_delete(x); 778 xfrm_audit_state_delete(x, err ? 0 : 1, 779 task_valid); 780 if (sync) 781 xfrm_state_put_sync(x); 782 else 783 xfrm_state_put(x); 784 if (!err) 785 cnt++; 786 787 spin_lock_bh(&net->xfrm.xfrm_state_lock); 788 goto restart; 789 } 790 } 791 } 792out: 793 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 794 if (cnt) 795 err = 0; 796 797 return err; 798} 799EXPORT_SYMBOL(xfrm_state_flush); 800 801int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid) 802{ 803 int i, err = 0, cnt = 0; 804 805 spin_lock_bh(&net->xfrm.xfrm_state_lock); 806 err = xfrm_dev_state_flush_secctx_check(net, dev, task_valid); 807 if (err) 808 goto out; 809 810 err = -ESRCH; 811 for (i = 0; i <= net->xfrm.state_hmask; i++) { 812 struct xfrm_state *x; 813 struct xfrm_state_offload *xso; 814restart: 815 hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 816 xso = &x->xso; 817 818 if (!xfrm_state_kern(x) && xso->dev == dev) { 819 xfrm_state_hold(x); 820 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 821 822 err = xfrm_state_delete(x); 823 xfrm_audit_state_delete(x, err ? 0 : 1, 824 task_valid); 825 xfrm_state_put(x); 826 if (!err) 827 cnt++; 828 829 spin_lock_bh(&net->xfrm.xfrm_state_lock); 830 goto restart; 831 } 832 } 833 } 834 if (cnt) 835 err = 0; 836 837out: 838 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 839 return err; 840} 841EXPORT_SYMBOL(xfrm_dev_state_flush); 842 843void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si) 844{ 845 spin_lock_bh(&net->xfrm.xfrm_state_lock); 846 si->sadcnt = net->xfrm.state_num; 847 si->sadhcnt = net->xfrm.state_hmask + 1; 848 si->sadhmcnt = xfrm_state_hashmax; 849 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 850} 851EXPORT_SYMBOL(xfrm_sad_getinfo); 852 853static void 854__xfrm4_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl) 855{ 856 const struct flowi4 *fl4 = &fl->u.ip4; 857 858 sel->daddr.a4 = fl4->daddr; 859 sel->saddr.a4 = fl4->saddr; 860 sel->dport = xfrm_flowi_dport(fl, &fl4->uli); 861 sel->dport_mask = htons(0xffff); 862 sel->sport = xfrm_flowi_sport(fl, &fl4->uli); 863 sel->sport_mask = htons(0xffff); 864 sel->family = AF_INET; 865 sel->prefixlen_d = 32; 866 sel->prefixlen_s = 32; 867 sel->proto = fl4->flowi4_proto; 868 sel->ifindex = fl4->flowi4_oif; 869} 870 871static void 872__xfrm6_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl) 873{ 874 const struct flowi6 *fl6 = &fl->u.ip6; 875 876 /* Initialize temporary selector matching only to current session. */ 877 *(struct in6_addr *)&sel->daddr = fl6->daddr; 878 *(struct in6_addr *)&sel->saddr = fl6->saddr; 879 sel->dport = xfrm_flowi_dport(fl, &fl6->uli); 880 sel->dport_mask = htons(0xffff); 881 sel->sport = xfrm_flowi_sport(fl, &fl6->uli); 882 sel->sport_mask = htons(0xffff); 883 sel->family = AF_INET6; 884 sel->prefixlen_d = 128; 885 sel->prefixlen_s = 128; 886 sel->proto = fl6->flowi6_proto; 887 sel->ifindex = fl6->flowi6_oif; 888} 889 890static void 891xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl, 892 const struct xfrm_tmpl *tmpl, 893 const xfrm_address_t *daddr, const xfrm_address_t *saddr, 894 unsigned short family) 895{ 896 switch (family) { 897 case AF_INET: 898 __xfrm4_init_tempsel(&x->sel, fl); 899 break; 900 case AF_INET6: 901 __xfrm6_init_tempsel(&x->sel, fl); 902 break; 903 } 904 905 x->id = tmpl->id; 906 907 switch (tmpl->encap_family) { 908 case AF_INET: 909 if (x->id.daddr.a4 == 0) 910 x->id.daddr.a4 = daddr->a4; 911 x->props.saddr = tmpl->saddr; 912 if (x->props.saddr.a4 == 0) 913 x->props.saddr.a4 = saddr->a4; 914 break; 915 case AF_INET6: 916 if (ipv6_addr_any((struct in6_addr *)&x->id.daddr)) 917 memcpy(&x->id.daddr, daddr, sizeof(x->sel.daddr)); 918 memcpy(&x->props.saddr, &tmpl->saddr, sizeof(x->props.saddr)); 919 if (ipv6_addr_any((struct in6_addr *)&x->props.saddr)) 920 memcpy(&x->props.saddr, saddr, sizeof(x->props.saddr)); 921 break; 922 } 923 924 x->props.mode = tmpl->mode; 925 x->props.reqid = tmpl->reqid; 926 x->props.family = tmpl->encap_family; 927} 928 929static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark, 930 const xfrm_address_t *daddr, 931 __be32 spi, u8 proto, 932 unsigned short family) 933{ 934 unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family); 935 struct xfrm_state *x; 936 937 hlist_for_each_entry_rcu(x, net->xfrm.state_byspi + h, byspi) { 938 if (x->props.family != family || 939 x->id.spi != spi || 940 x->id.proto != proto || 941 !xfrm_addr_equal(&x->id.daddr, daddr, family)) 942 continue; 943 944 if ((mark & x->mark.m) != x->mark.v) 945 continue; 946 if (!xfrm_state_hold_rcu(x)) 947 continue; 948 return x; 949 } 950 951 return NULL; 952} 953 954static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark, 955 const xfrm_address_t *daddr, 956 const xfrm_address_t *saddr, 957 u8 proto, unsigned short family) 958{ 959 unsigned int h = xfrm_src_hash(net, daddr, saddr, family); 960 struct xfrm_state *x; 961 962 hlist_for_each_entry_rcu(x, net->xfrm.state_bysrc + h, bysrc) { 963 if (x->props.family != family || 964 x->id.proto != proto || 965 !xfrm_addr_equal(&x->id.daddr, daddr, family) || 966 !xfrm_addr_equal(&x->props.saddr, saddr, family)) 967 continue; 968 969 if ((mark & x->mark.m) != x->mark.v) 970 continue; 971 if (!xfrm_state_hold_rcu(x)) 972 continue; 973 return x; 974 } 975 976 return NULL; 977} 978 979static inline struct xfrm_state * 980__xfrm_state_locate(struct xfrm_state *x, int use_spi, int family) 981{ 982 struct net *net = xs_net(x); 983 u32 mark = x->mark.v & x->mark.m; 984 985 if (use_spi) 986 return __xfrm_state_lookup(net, mark, &x->id.daddr, 987 x->id.spi, x->id.proto, family); 988 else 989 return __xfrm_state_lookup_byaddr(net, mark, 990 &x->id.daddr, 991 &x->props.saddr, 992 x->id.proto, family); 993} 994 995static void xfrm_hash_grow_check(struct net *net, int have_hash_collision) 996{ 997 if (have_hash_collision && 998 (net->xfrm.state_hmask + 1) < xfrm_state_hashmax && 999 net->xfrm.state_num > net->xfrm.state_hmask) 1000 schedule_work(&net->xfrm.state_hash_work); 1001} 1002 1003static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x, 1004 const struct flowi *fl, unsigned short family, 1005 struct xfrm_state **best, int *acq_in_progress, 1006 int *error) 1007{ 1008 /* Resolution logic: 1009 * 1. There is a valid state with matching selector. Done. 1010 * 2. Valid state with inappropriate selector. Skip. 1011 * 1012 * Entering area of "sysdeps". 1013 * 1014 * 3. If state is not valid, selector is temporary, it selects 1015 * only session which triggered previous resolution. Key 1016 * manager will do something to install a state with proper 1017 * selector. 1018 */ 1019 if (x->km.state == XFRM_STATE_VALID) { 1020 if ((x->sel.family && 1021 (x->sel.family != family || 1022 !xfrm_selector_match(&x->sel, fl, family))) || 1023 !security_xfrm_state_pol_flow_match(x, pol, 1024 &fl->u.__fl_common)) 1025 return; 1026 1027 if (!*best || 1028 (*best)->km.dying > x->km.dying || 1029 ((*best)->km.dying == x->km.dying && 1030 (*best)->curlft.add_time < x->curlft.add_time)) 1031 *best = x; 1032 } else if (x->km.state == XFRM_STATE_ACQ) { 1033 *acq_in_progress = 1; 1034 } else if (x->km.state == XFRM_STATE_ERROR || 1035 x->km.state == XFRM_STATE_EXPIRED) { 1036 if ((!x->sel.family || 1037 (x->sel.family == family && 1038 xfrm_selector_match(&x->sel, fl, family))) && 1039 security_xfrm_state_pol_flow_match(x, pol, 1040 &fl->u.__fl_common)) 1041 *error = -ESRCH; 1042 } 1043} 1044 1045struct xfrm_state * 1046xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, 1047 const struct flowi *fl, struct xfrm_tmpl *tmpl, 1048 struct xfrm_policy *pol, int *err, 1049 unsigned short family, u32 if_id) 1050{ 1051 static xfrm_address_t saddr_wildcard = { }; 1052 struct net *net = xp_net(pol); 1053 unsigned int h, h_wildcard; 1054 struct xfrm_state *x, *x0, *to_put; 1055 int acquire_in_progress = 0; 1056 int error = 0; 1057 struct xfrm_state *best = NULL; 1058 u32 mark = pol->mark.v & pol->mark.m; 1059 unsigned short encap_family = tmpl->encap_family; 1060 unsigned int sequence; 1061 struct km_event c; 1062 1063 to_put = NULL; 1064 1065 sequence = read_seqcount_begin(&net->xfrm.xfrm_state_hash_generation); 1066 1067 rcu_read_lock(); 1068 h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); 1069 hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { 1070 if (x->props.family == encap_family && 1071 x->props.reqid == tmpl->reqid && 1072 (mark & x->mark.m) == x->mark.v && 1073 x->if_id == if_id && 1074 !(x->props.flags & XFRM_STATE_WILDRECV) && 1075 xfrm_state_addr_check(x, daddr, saddr, encap_family) && 1076 tmpl->mode == x->props.mode && 1077 tmpl->id.proto == x->id.proto && 1078 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) 1079 xfrm_state_look_at(pol, x, fl, family, 1080 &best, &acquire_in_progress, &error); 1081 } 1082 if (best || acquire_in_progress) 1083 goto found; 1084 1085 h_wildcard = xfrm_dst_hash(net, daddr, &saddr_wildcard, tmpl->reqid, encap_family); 1086 hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h_wildcard, bydst) { 1087 if (x->props.family == encap_family && 1088 x->props.reqid == tmpl->reqid && 1089 (mark & x->mark.m) == x->mark.v && 1090 x->if_id == if_id && 1091 !(x->props.flags & XFRM_STATE_WILDRECV) && 1092 xfrm_addr_equal(&x->id.daddr, daddr, encap_family) && 1093 tmpl->mode == x->props.mode && 1094 tmpl->id.proto == x->id.proto && 1095 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) 1096 xfrm_state_look_at(pol, x, fl, family, 1097 &best, &acquire_in_progress, &error); 1098 } 1099 1100found: 1101 x = best; 1102 if (!x && !error && !acquire_in_progress) { 1103 if (tmpl->id.spi && 1104 (x0 = __xfrm_state_lookup(net, mark, daddr, tmpl->id.spi, 1105 tmpl->id.proto, encap_family)) != NULL) { 1106 to_put = x0; 1107 error = -EEXIST; 1108 goto out; 1109 } 1110 1111 c.net = net; 1112 /* If the KMs have no listeners (yet...), avoid allocating an SA 1113 * for each and every packet - garbage collection might not 1114 * handle the flood. 1115 */ 1116 if (!km_is_alive(&c)) { 1117 error = -ESRCH; 1118 goto out; 1119 } 1120 1121 x = xfrm_state_alloc(net); 1122 if (x == NULL) { 1123 error = -ENOMEM; 1124 goto out; 1125 } 1126 /* Initialize temporary state matching only 1127 * to current session. */ 1128 xfrm_init_tempstate(x, fl, tmpl, daddr, saddr, family); 1129 memcpy(&x->mark, &pol->mark, sizeof(x->mark)); 1130 x->if_id = if_id; 1131 1132 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->flowi_secid); 1133 if (error) { 1134 x->km.state = XFRM_STATE_DEAD; 1135 to_put = x; 1136 x = NULL; 1137 goto out; 1138 } 1139 1140 if (km_query(x, tmpl, pol) == 0) { 1141 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1142 x->km.state = XFRM_STATE_ACQ; 1143 list_add(&x->km.all, &net->xfrm.state_all); 1144 hlist_add_head_rcu(&x->bydst, net->xfrm.state_bydst + h); 1145 h = xfrm_src_hash(net, daddr, saddr, encap_family); 1146 hlist_add_head_rcu(&x->bysrc, net->xfrm.state_bysrc + h); 1147 if (x->id.spi) { 1148 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, encap_family); 1149 hlist_add_head_rcu(&x->byspi, net->xfrm.state_byspi + h); 1150 } 1151 x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires; 1152 hrtimer_start(&x->mtimer, 1153 ktime_set(net->xfrm.sysctl_acq_expires, 0), 1154 HRTIMER_MODE_REL_SOFT); 1155 net->xfrm.state_num++; 1156 xfrm_hash_grow_check(net, x->bydst.next != NULL); 1157 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1158 } else { 1159 x->km.state = XFRM_STATE_DEAD; 1160 to_put = x; 1161 x = NULL; 1162 error = -ESRCH; 1163 } 1164 } 1165out: 1166 if (x) { 1167 if (!xfrm_state_hold_rcu(x)) { 1168 *err = -EAGAIN; 1169 x = NULL; 1170 } 1171 } else { 1172 *err = acquire_in_progress ? -EAGAIN : error; 1173 } 1174 rcu_read_unlock(); 1175 if (to_put) 1176 xfrm_state_put(to_put); 1177 1178 if (read_seqcount_retry(&net->xfrm.xfrm_state_hash_generation, sequence)) { 1179 *err = -EAGAIN; 1180 if (x) { 1181 xfrm_state_put(x); 1182 x = NULL; 1183 } 1184 } 1185 1186 return x; 1187} 1188 1189struct xfrm_state * 1190xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id, 1191 xfrm_address_t *daddr, xfrm_address_t *saddr, 1192 unsigned short family, u8 mode, u8 proto, u32 reqid) 1193{ 1194 unsigned int h; 1195 struct xfrm_state *rx = NULL, *x = NULL; 1196 1197 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1198 h = xfrm_dst_hash(net, daddr, saddr, reqid, family); 1199 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 1200 if (x->props.family == family && 1201 x->props.reqid == reqid && 1202 (mark & x->mark.m) == x->mark.v && 1203 x->if_id == if_id && 1204 !(x->props.flags & XFRM_STATE_WILDRECV) && 1205 xfrm_state_addr_check(x, daddr, saddr, family) && 1206 mode == x->props.mode && 1207 proto == x->id.proto && 1208 x->km.state == XFRM_STATE_VALID) { 1209 rx = x; 1210 break; 1211 } 1212 } 1213 1214 if (rx) 1215 xfrm_state_hold(rx); 1216 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1217 1218 1219 return rx; 1220} 1221EXPORT_SYMBOL(xfrm_stateonly_find); 1222 1223struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi, 1224 unsigned short family) 1225{ 1226 struct xfrm_state *x; 1227 struct xfrm_state_walk *w; 1228 1229 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1230 list_for_each_entry(w, &net->xfrm.state_all, all) { 1231 x = container_of(w, struct xfrm_state, km); 1232 if (x->props.family != family || 1233 x->id.spi != spi) 1234 continue; 1235 1236 xfrm_state_hold(x); 1237 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1238 return x; 1239 } 1240 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1241 return NULL; 1242} 1243EXPORT_SYMBOL(xfrm_state_lookup_byspi); 1244 1245static void __xfrm_state_insert(struct xfrm_state *x) 1246{ 1247 struct net *net = xs_net(x); 1248 unsigned int h; 1249 1250 list_add(&x->km.all, &net->xfrm.state_all); 1251 1252 h = xfrm_dst_hash(net, &x->id.daddr, &x->props.saddr, 1253 x->props.reqid, x->props.family); 1254 hlist_add_head_rcu(&x->bydst, net->xfrm.state_bydst + h); 1255 1256 h = xfrm_src_hash(net, &x->id.daddr, &x->props.saddr, x->props.family); 1257 hlist_add_head_rcu(&x->bysrc, net->xfrm.state_bysrc + h); 1258 1259 if (x->id.spi) { 1260 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, 1261 x->props.family); 1262 1263 hlist_add_head_rcu(&x->byspi, net->xfrm.state_byspi + h); 1264 } 1265 1266 hrtimer_start(&x->mtimer, ktime_set(1, 0), HRTIMER_MODE_REL_SOFT); 1267 if (x->replay_maxage) 1268 mod_timer(&x->rtimer, jiffies + x->replay_maxage); 1269 1270 net->xfrm.state_num++; 1271 1272 xfrm_hash_grow_check(net, x->bydst.next != NULL); 1273} 1274 1275/* net->xfrm.xfrm_state_lock is held */ 1276static void __xfrm_state_bump_genids(struct xfrm_state *xnew) 1277{ 1278 struct net *net = xs_net(xnew); 1279 unsigned short family = xnew->props.family; 1280 u32 reqid = xnew->props.reqid; 1281 struct xfrm_state *x; 1282 unsigned int h; 1283 u32 mark = xnew->mark.v & xnew->mark.m; 1284 u32 if_id = xnew->if_id; 1285 1286 h = xfrm_dst_hash(net, &xnew->id.daddr, &xnew->props.saddr, reqid, family); 1287 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 1288 if (x->props.family == family && 1289 x->props.reqid == reqid && 1290 x->if_id == if_id && 1291 (mark & x->mark.m) == x->mark.v && 1292 xfrm_addr_equal(&x->id.daddr, &xnew->id.daddr, family) && 1293 xfrm_addr_equal(&x->props.saddr, &xnew->props.saddr, family)) 1294 x->genid++; 1295 } 1296} 1297 1298void xfrm_state_insert(struct xfrm_state *x) 1299{ 1300 struct net *net = xs_net(x); 1301 1302 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1303 __xfrm_state_bump_genids(x); 1304 __xfrm_state_insert(x); 1305 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1306} 1307EXPORT_SYMBOL(xfrm_state_insert); 1308 1309/* net->xfrm.xfrm_state_lock is held */ 1310static struct xfrm_state *__find_acq_core(struct net *net, 1311 const struct xfrm_mark *m, 1312 unsigned short family, u8 mode, 1313 u32 reqid, u32 if_id, u8 proto, 1314 const xfrm_address_t *daddr, 1315 const xfrm_address_t *saddr, 1316 int create) 1317{ 1318 unsigned int h = xfrm_dst_hash(net, daddr, saddr, reqid, family); 1319 struct xfrm_state *x; 1320 u32 mark = m->v & m->m; 1321 1322 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 1323 if (x->props.reqid != reqid || 1324 x->props.mode != mode || 1325 x->props.family != family || 1326 x->km.state != XFRM_STATE_ACQ || 1327 x->id.spi != 0 || 1328 x->id.proto != proto || 1329 (mark & x->mark.m) != x->mark.v || 1330 !xfrm_addr_equal(&x->id.daddr, daddr, family) || 1331 !xfrm_addr_equal(&x->props.saddr, saddr, family)) 1332 continue; 1333 1334 xfrm_state_hold(x); 1335 return x; 1336 } 1337 1338 if (!create) 1339 return NULL; 1340 1341 x = xfrm_state_alloc(net); 1342 if (likely(x)) { 1343 switch (family) { 1344 case AF_INET: 1345 x->sel.daddr.a4 = daddr->a4; 1346 x->sel.saddr.a4 = saddr->a4; 1347 x->sel.prefixlen_d = 32; 1348 x->sel.prefixlen_s = 32; 1349 x->props.saddr.a4 = saddr->a4; 1350 x->id.daddr.a4 = daddr->a4; 1351 break; 1352 1353 case AF_INET6: 1354 x->sel.daddr.in6 = daddr->in6; 1355 x->sel.saddr.in6 = saddr->in6; 1356 x->sel.prefixlen_d = 128; 1357 x->sel.prefixlen_s = 128; 1358 x->props.saddr.in6 = saddr->in6; 1359 x->id.daddr.in6 = daddr->in6; 1360 break; 1361 } 1362 1363 x->km.state = XFRM_STATE_ACQ; 1364 x->id.proto = proto; 1365 x->props.family = family; 1366 x->props.mode = mode; 1367 x->props.reqid = reqid; 1368 x->if_id = if_id; 1369 x->mark.v = m->v; 1370 x->mark.m = m->m; 1371 x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires; 1372 xfrm_state_hold(x); 1373 hrtimer_start(&x->mtimer, 1374 ktime_set(net->xfrm.sysctl_acq_expires, 0), 1375 HRTIMER_MODE_REL_SOFT); 1376 list_add(&x->km.all, &net->xfrm.state_all); 1377 hlist_add_head_rcu(&x->bydst, net->xfrm.state_bydst + h); 1378 h = xfrm_src_hash(net, daddr, saddr, family); 1379 hlist_add_head_rcu(&x->bysrc, net->xfrm.state_bysrc + h); 1380 1381 net->xfrm.state_num++; 1382 1383 xfrm_hash_grow_check(net, x->bydst.next != NULL); 1384 } 1385 1386 return x; 1387} 1388 1389static struct xfrm_state *__xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq); 1390 1391int xfrm_state_add(struct xfrm_state *x) 1392{ 1393 struct net *net = xs_net(x); 1394 struct xfrm_state *x1, *to_put; 1395 int family; 1396 int err; 1397 u32 mark = x->mark.v & x->mark.m; 1398 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1399 1400 family = x->props.family; 1401 1402 to_put = NULL; 1403 1404 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1405 1406 x1 = __xfrm_state_locate(x, use_spi, family); 1407 if (x1) { 1408 to_put = x1; 1409 x1 = NULL; 1410 err = -EEXIST; 1411 goto out; 1412 } 1413 1414 if (use_spi && x->km.seq) { 1415 x1 = __xfrm_find_acq_byseq(net, mark, x->km.seq); 1416 if (x1 && ((x1->id.proto != x->id.proto) || 1417 !xfrm_addr_equal(&x1->id.daddr, &x->id.daddr, family))) { 1418 to_put = x1; 1419 x1 = NULL; 1420 } 1421 } 1422 1423 if (use_spi && !x1) 1424 x1 = __find_acq_core(net, &x->mark, family, x->props.mode, 1425 x->props.reqid, x->if_id, x->id.proto, 1426 &x->id.daddr, &x->props.saddr, 0); 1427 1428 __xfrm_state_bump_genids(x); 1429 __xfrm_state_insert(x); 1430 err = 0; 1431 1432out: 1433 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1434 1435 if (x1) { 1436 xfrm_state_delete(x1); 1437 xfrm_state_put(x1); 1438 } 1439 1440 if (to_put) 1441 xfrm_state_put(to_put); 1442 1443 return err; 1444} 1445EXPORT_SYMBOL(xfrm_state_add); 1446 1447#ifdef CONFIG_XFRM_MIGRATE 1448static inline int clone_security(struct xfrm_state *x, struct xfrm_sec_ctx *security) 1449{ 1450 struct xfrm_user_sec_ctx *uctx; 1451 int size = sizeof(*uctx) + security->ctx_len; 1452 int err; 1453 1454 uctx = kmalloc(size, GFP_KERNEL); 1455 if (!uctx) 1456 return -ENOMEM; 1457 1458 uctx->exttype = XFRMA_SEC_CTX; 1459 uctx->len = size; 1460 uctx->ctx_doi = security->ctx_doi; 1461 uctx->ctx_alg = security->ctx_alg; 1462 uctx->ctx_len = security->ctx_len; 1463 memcpy(uctx + 1, security->ctx_str, security->ctx_len); 1464 err = security_xfrm_state_alloc(x, uctx); 1465 kfree(uctx); 1466 if (err) 1467 return err; 1468 1469 return 0; 1470} 1471 1472static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, 1473 struct xfrm_encap_tmpl *encap) 1474{ 1475 struct net *net = xs_net(orig); 1476 struct xfrm_state *x = xfrm_state_alloc(net); 1477 if (!x) 1478 goto out; 1479 1480 memcpy(&x->id, &orig->id, sizeof(x->id)); 1481 memcpy(&x->sel, &orig->sel, sizeof(x->sel)); 1482 memcpy(&x->lft, &orig->lft, sizeof(x->lft)); 1483 x->props.mode = orig->props.mode; 1484 x->props.replay_window = orig->props.replay_window; 1485 x->props.reqid = orig->props.reqid; 1486 x->props.family = orig->props.family; 1487 x->props.saddr = orig->props.saddr; 1488 1489 if (orig->aalg) { 1490 x->aalg = xfrm_algo_auth_clone(orig->aalg); 1491 if (!x->aalg) 1492 goto error; 1493 } 1494 x->props.aalgo = orig->props.aalgo; 1495 1496 if (orig->aead) { 1497 x->aead = xfrm_algo_aead_clone(orig->aead); 1498 x->geniv = orig->geniv; 1499 if (!x->aead) 1500 goto error; 1501 } 1502 if (orig->ealg) { 1503 x->ealg = xfrm_algo_clone(orig->ealg); 1504 if (!x->ealg) 1505 goto error; 1506 } 1507 x->props.ealgo = orig->props.ealgo; 1508 1509 if (orig->calg) { 1510 x->calg = xfrm_algo_clone(orig->calg); 1511 if (!x->calg) 1512 goto error; 1513 } 1514 x->props.calgo = orig->props.calgo; 1515 1516 if (encap || orig->encap) { 1517 if (encap) 1518 x->encap = kmemdup(encap, sizeof(*x->encap), 1519 GFP_KERNEL); 1520 else 1521 x->encap = kmemdup(orig->encap, sizeof(*x->encap), 1522 GFP_KERNEL); 1523 1524 if (!x->encap) 1525 goto error; 1526 } 1527 1528 if (orig->security) 1529 if (clone_security(x, orig->security)) 1530 goto error; 1531 1532 if (orig->coaddr) { 1533 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr), 1534 GFP_KERNEL); 1535 if (!x->coaddr) 1536 goto error; 1537 } 1538 1539 if (orig->replay_esn) { 1540 if (xfrm_replay_clone(x, orig)) 1541 goto error; 1542 } 1543 1544 memcpy(&x->mark, &orig->mark, sizeof(x->mark)); 1545 memcpy(&x->props.smark, &orig->props.smark, sizeof(x->props.smark)); 1546 1547 x->props.flags = orig->props.flags; 1548 x->props.extra_flags = orig->props.extra_flags; 1549 1550 x->if_id = orig->if_id; 1551 x->tfcpad = orig->tfcpad; 1552 x->replay_maxdiff = orig->replay_maxdiff; 1553 x->replay_maxage = orig->replay_maxage; 1554 memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft)); 1555 x->km.state = orig->km.state; 1556 x->km.seq = orig->km.seq; 1557 x->replay = orig->replay; 1558 x->preplay = orig->preplay; 1559 x->mapping_maxage = orig->mapping_maxage; 1560 x->lastused = orig->lastused; 1561 x->new_mapping = 0; 1562 x->new_mapping_sport = 0; 1563 1564 return x; 1565 1566 error: 1567 xfrm_state_put(x); 1568out: 1569 return NULL; 1570} 1571 1572struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net, 1573 u32 if_id) 1574{ 1575 unsigned int h; 1576 struct xfrm_state *x = NULL; 1577 1578 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1579 1580 if (m->reqid) { 1581 h = xfrm_dst_hash(net, &m->old_daddr, &m->old_saddr, 1582 m->reqid, m->old_family); 1583 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 1584 if (x->props.mode != m->mode || 1585 x->id.proto != m->proto) 1586 continue; 1587 if (m->reqid && x->props.reqid != m->reqid) 1588 continue; 1589 if (if_id != 0 && x->if_id != if_id) 1590 continue; 1591 if (!xfrm_addr_equal(&x->id.daddr, &m->old_daddr, 1592 m->old_family) || 1593 !xfrm_addr_equal(&x->props.saddr, &m->old_saddr, 1594 m->old_family)) 1595 continue; 1596 xfrm_state_hold(x); 1597 break; 1598 } 1599 } else { 1600 h = xfrm_src_hash(net, &m->old_daddr, &m->old_saddr, 1601 m->old_family); 1602 hlist_for_each_entry(x, net->xfrm.state_bysrc+h, bysrc) { 1603 if (x->props.mode != m->mode || 1604 x->id.proto != m->proto) 1605 continue; 1606 if (if_id != 0 && x->if_id != if_id) 1607 continue; 1608 if (!xfrm_addr_equal(&x->id.daddr, &m->old_daddr, 1609 m->old_family) || 1610 !xfrm_addr_equal(&x->props.saddr, &m->old_saddr, 1611 m->old_family)) 1612 continue; 1613 xfrm_state_hold(x); 1614 break; 1615 } 1616 } 1617 1618 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1619 1620 return x; 1621} 1622EXPORT_SYMBOL(xfrm_migrate_state_find); 1623 1624struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, 1625 struct xfrm_migrate *m, 1626 struct xfrm_encap_tmpl *encap) 1627{ 1628 struct xfrm_state *xc; 1629 1630 xc = xfrm_state_clone(x, encap); 1631 if (!xc) 1632 return NULL; 1633 1634 xc->props.family = m->new_family; 1635 1636 if (xfrm_init_state(xc) < 0) 1637 goto error; 1638 1639 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr)); 1640 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr)); 1641 1642 /* add state */ 1643 if (xfrm_addr_equal(&x->id.daddr, &m->new_daddr, m->new_family)) { 1644 /* a care is needed when the destination address of the 1645 state is to be updated as it is a part of triplet */ 1646 xfrm_state_insert(xc); 1647 } else { 1648 if (xfrm_state_add(xc) < 0) 1649 goto error; 1650 } 1651 1652 return xc; 1653error: 1654 xfrm_state_put(xc); 1655 return NULL; 1656} 1657EXPORT_SYMBOL(xfrm_state_migrate); 1658#endif 1659 1660int xfrm_state_update(struct xfrm_state *x) 1661{ 1662 struct xfrm_state *x1, *to_put; 1663 int err; 1664 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1665 struct net *net = xs_net(x); 1666 1667 to_put = NULL; 1668 1669 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1670 x1 = __xfrm_state_locate(x, use_spi, x->props.family); 1671 1672 err = -ESRCH; 1673 if (!x1) 1674 goto out; 1675 1676 if (xfrm_state_kern(x1)) { 1677 to_put = x1; 1678 err = -EEXIST; 1679 goto out; 1680 } 1681 1682 if (x1->km.state == XFRM_STATE_ACQ) { 1683 __xfrm_state_insert(x); 1684 x = NULL; 1685 } 1686 err = 0; 1687 1688out: 1689 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1690 1691 if (to_put) 1692 xfrm_state_put(to_put); 1693 1694 if (err) 1695 return err; 1696 1697 if (!x) { 1698 xfrm_state_delete(x1); 1699 xfrm_state_put(x1); 1700 return 0; 1701 } 1702 1703 err = -EINVAL; 1704 spin_lock_bh(&x1->lock); 1705 if (likely(x1->km.state == XFRM_STATE_VALID)) { 1706 if (x->encap && x1->encap && 1707 x->encap->encap_type == x1->encap->encap_type) 1708 memcpy(x1->encap, x->encap, sizeof(*x1->encap)); 1709 else if (x->encap || x1->encap) 1710 goto fail; 1711 1712 if (x->coaddr && x1->coaddr) { 1713 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr)); 1714 } 1715 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel))) 1716 memcpy(&x1->sel, &x->sel, sizeof(x1->sel)); 1717 memcpy(&x1->lft, &x->lft, sizeof(x1->lft)); 1718 x1->km.dying = 0; 1719 1720 hrtimer_start(&x1->mtimer, ktime_set(1, 0), 1721 HRTIMER_MODE_REL_SOFT); 1722 if (x1->curlft.use_time) 1723 xfrm_state_check_expire(x1); 1724 1725 if (x->props.smark.m || x->props.smark.v || x->if_id) { 1726 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1727 1728 if (x->props.smark.m || x->props.smark.v) 1729 x1->props.smark = x->props.smark; 1730 1731 if (x->if_id) 1732 x1->if_id = x->if_id; 1733 1734 __xfrm_state_bump_genids(x1); 1735 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1736 } 1737 1738 err = 0; 1739 x->km.state = XFRM_STATE_DEAD; 1740 __xfrm_state_put(x); 1741 } 1742 1743fail: 1744 spin_unlock_bh(&x1->lock); 1745 1746 xfrm_state_put(x1); 1747 1748 return err; 1749} 1750EXPORT_SYMBOL(xfrm_state_update); 1751 1752int xfrm_state_check_expire(struct xfrm_state *x) 1753{ 1754 if (!x->curlft.use_time) 1755 x->curlft.use_time = ktime_get_real_seconds(); 1756 1757 if (x->curlft.bytes >= x->lft.hard_byte_limit || 1758 x->curlft.packets >= x->lft.hard_packet_limit) { 1759 x->km.state = XFRM_STATE_EXPIRED; 1760 hrtimer_start(&x->mtimer, 0, HRTIMER_MODE_REL_SOFT); 1761 return -EINVAL; 1762 } 1763 1764 if (!x->km.dying && 1765 (x->curlft.bytes >= x->lft.soft_byte_limit || 1766 x->curlft.packets >= x->lft.soft_packet_limit)) { 1767 x->km.dying = 1; 1768 km_state_expired(x, 0, 0); 1769 } 1770 return 0; 1771} 1772EXPORT_SYMBOL(xfrm_state_check_expire); 1773 1774struct xfrm_state * 1775xfrm_state_lookup(struct net *net, u32 mark, const xfrm_address_t *daddr, __be32 spi, 1776 u8 proto, unsigned short family) 1777{ 1778 struct xfrm_state *x; 1779 1780 rcu_read_lock(); 1781 x = __xfrm_state_lookup(net, mark, daddr, spi, proto, family); 1782 rcu_read_unlock(); 1783 return x; 1784} 1785EXPORT_SYMBOL(xfrm_state_lookup); 1786 1787struct xfrm_state * 1788xfrm_state_lookup_byaddr(struct net *net, u32 mark, 1789 const xfrm_address_t *daddr, const xfrm_address_t *saddr, 1790 u8 proto, unsigned short family) 1791{ 1792 struct xfrm_state *x; 1793 1794 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1795 x = __xfrm_state_lookup_byaddr(net, mark, daddr, saddr, proto, family); 1796 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1797 return x; 1798} 1799EXPORT_SYMBOL(xfrm_state_lookup_byaddr); 1800 1801struct xfrm_state * 1802xfrm_find_acq(struct net *net, const struct xfrm_mark *mark, u8 mode, u32 reqid, 1803 u32 if_id, u8 proto, const xfrm_address_t *daddr, 1804 const xfrm_address_t *saddr, int create, unsigned short family) 1805{ 1806 struct xfrm_state *x; 1807 1808 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1809 x = __find_acq_core(net, mark, family, mode, reqid, if_id, proto, daddr, saddr, create); 1810 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1811 1812 return x; 1813} 1814EXPORT_SYMBOL(xfrm_find_acq); 1815 1816#ifdef CONFIG_XFRM_SUB_POLICY 1817#if IS_ENABLED(CONFIG_IPV6) 1818/* distribution counting sort function for xfrm_state and xfrm_tmpl */ 1819static void 1820__xfrm6_sort(void **dst, void **src, int n, 1821 int (*cmp)(const void *p), int maxclass) 1822{ 1823 int count[XFRM_MAX_DEPTH] = { }; 1824 int class[XFRM_MAX_DEPTH]; 1825 int i; 1826 1827 for (i = 0; i < n; i++) { 1828 int c = cmp(src[i]); 1829 1830 class[i] = c; 1831 count[c]++; 1832 } 1833 1834 for (i = 2; i < maxclass; i++) 1835 count[i] += count[i - 1]; 1836 1837 for (i = 0; i < n; i++) { 1838 dst[count[class[i] - 1]++] = src[i]; 1839 src[i] = NULL; 1840 } 1841} 1842 1843/* Rule for xfrm_state: 1844 * 1845 * rule 1: select IPsec transport except AH 1846 * rule 2: select MIPv6 RO or inbound trigger 1847 * rule 3: select IPsec transport AH 1848 * rule 4: select IPsec tunnel 1849 * rule 5: others 1850 */ 1851static int __xfrm6_state_sort_cmp(const void *p) 1852{ 1853 const struct xfrm_state *v = p; 1854 1855 switch (v->props.mode) { 1856 case XFRM_MODE_TRANSPORT: 1857 if (v->id.proto != IPPROTO_AH) 1858 return 1; 1859 else 1860 return 3; 1861#if IS_ENABLED(CONFIG_IPV6_MIP6) 1862 case XFRM_MODE_ROUTEOPTIMIZATION: 1863 case XFRM_MODE_IN_TRIGGER: 1864 return 2; 1865#endif 1866 case XFRM_MODE_TUNNEL: 1867 case XFRM_MODE_BEET: 1868 return 4; 1869 } 1870 return 5; 1871} 1872 1873/* Rule for xfrm_tmpl: 1874 * 1875 * rule 1: select IPsec transport 1876 * rule 2: select MIPv6 RO or inbound trigger 1877 * rule 3: select IPsec tunnel 1878 * rule 4: others 1879 */ 1880static int __xfrm6_tmpl_sort_cmp(const void *p) 1881{ 1882 const struct xfrm_tmpl *v = p; 1883 1884 switch (v->mode) { 1885 case XFRM_MODE_TRANSPORT: 1886 return 1; 1887#if IS_ENABLED(CONFIG_IPV6_MIP6) 1888 case XFRM_MODE_ROUTEOPTIMIZATION: 1889 case XFRM_MODE_IN_TRIGGER: 1890 return 2; 1891#endif 1892 case XFRM_MODE_TUNNEL: 1893 case XFRM_MODE_BEET: 1894 return 3; 1895 } 1896 return 4; 1897} 1898#else 1899static inline int __xfrm6_state_sort_cmp(const void *p) { return 5; } 1900static inline int __xfrm6_tmpl_sort_cmp(const void *p) { return 4; } 1901 1902static inline void 1903__xfrm6_sort(void **dst, void **src, int n, 1904 int (*cmp)(const void *p), int maxclass) 1905{ 1906 int i; 1907 1908 for (i = 0; i < n; i++) 1909 dst[i] = src[i]; 1910} 1911#endif /* CONFIG_IPV6 */ 1912 1913void 1914xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1915 unsigned short family) 1916{ 1917 int i; 1918 1919 if (family == AF_INET6) 1920 __xfrm6_sort((void **)dst, (void **)src, n, 1921 __xfrm6_tmpl_sort_cmp, 5); 1922 else 1923 for (i = 0; i < n; i++) 1924 dst[i] = src[i]; 1925} 1926 1927void 1928xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1929 unsigned short family) 1930{ 1931 int i; 1932 1933 if (family == AF_INET6) 1934 __xfrm6_sort((void **)dst, (void **)src, n, 1935 __xfrm6_state_sort_cmp, 6); 1936 else 1937 for (i = 0; i < n; i++) 1938 dst[i] = src[i]; 1939} 1940#endif 1941 1942/* Silly enough, but I'm lazy to build resolution list */ 1943 1944static struct xfrm_state *__xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq) 1945{ 1946 int i; 1947 1948 for (i = 0; i <= net->xfrm.state_hmask; i++) { 1949 struct xfrm_state *x; 1950 1951 hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 1952 if (x->km.seq == seq && 1953 (mark & x->mark.m) == x->mark.v && 1954 x->km.state == XFRM_STATE_ACQ) { 1955 xfrm_state_hold(x); 1956 return x; 1957 } 1958 } 1959 } 1960 return NULL; 1961} 1962 1963struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq) 1964{ 1965 struct xfrm_state *x; 1966 1967 spin_lock_bh(&net->xfrm.xfrm_state_lock); 1968 x = __xfrm_find_acq_byseq(net, mark, seq); 1969 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 1970 return x; 1971} 1972EXPORT_SYMBOL(xfrm_find_acq_byseq); 1973 1974u32 xfrm_get_acqseq(void) 1975{ 1976 u32 res; 1977 static atomic_t acqseq; 1978 1979 do { 1980 res = atomic_inc_return(&acqseq); 1981 } while (!res); 1982 1983 return res; 1984} 1985EXPORT_SYMBOL(xfrm_get_acqseq); 1986 1987int verify_spi_info(u8 proto, u32 min, u32 max) 1988{ 1989 switch (proto) { 1990 case IPPROTO_AH: 1991 case IPPROTO_ESP: 1992 break; 1993 1994 case IPPROTO_COMP: 1995 /* IPCOMP spi is 16-bits. */ 1996 if (max >= 0x10000) 1997 return -EINVAL; 1998 break; 1999 2000 default: 2001 return -EINVAL; 2002 } 2003 2004 if (min > max) 2005 return -EINVAL; 2006 2007 return 0; 2008} 2009EXPORT_SYMBOL(verify_spi_info); 2010 2011int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) 2012{ 2013 struct net *net = xs_net(x); 2014 unsigned int h; 2015 struct xfrm_state *x0; 2016 int err = -ENOENT; 2017 __be32 minspi = htonl(low); 2018 __be32 maxspi = htonl(high); 2019 __be32 newspi = 0; 2020 u32 mark = x->mark.v & x->mark.m; 2021 2022 spin_lock_bh(&x->lock); 2023 if (x->km.state == XFRM_STATE_DEAD) 2024 goto unlock; 2025 2026 err = 0; 2027 if (x->id.spi) 2028 goto unlock; 2029 2030 err = -ENOENT; 2031 2032 if (minspi == maxspi) { 2033 x0 = xfrm_state_lookup(net, mark, &x->id.daddr, minspi, x->id.proto, x->props.family); 2034 if (x0) { 2035 xfrm_state_put(x0); 2036 goto unlock; 2037 } 2038 newspi = minspi; 2039 } else { 2040 u32 spi = 0; 2041 for (h = 0; h < high-low+1; h++) { 2042 spi = low + prandom_u32()%(high-low+1); 2043 x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family); 2044 if (x0 == NULL) { 2045 newspi = htonl(spi); 2046 break; 2047 } 2048 xfrm_state_put(x0); 2049 } 2050 } 2051 if (newspi) { 2052 spin_lock_bh(&net->xfrm.xfrm_state_lock); 2053 x->id.spi = newspi; 2054 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family); 2055 hlist_add_head_rcu(&x->byspi, net->xfrm.state_byspi + h); 2056 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 2057 2058 err = 0; 2059 } 2060 2061unlock: 2062 spin_unlock_bh(&x->lock); 2063 2064 return err; 2065} 2066EXPORT_SYMBOL(xfrm_alloc_spi); 2067 2068static bool __xfrm_state_filter_match(struct xfrm_state *x, 2069 struct xfrm_address_filter *filter) 2070{ 2071 if (filter) { 2072 if ((filter->family == AF_INET || 2073 filter->family == AF_INET6) && 2074 x->props.family != filter->family) 2075 return false; 2076 2077 return addr_match(&x->props.saddr, &filter->saddr, 2078 filter->splen) && 2079 addr_match(&x->id.daddr, &filter->daddr, 2080 filter->dplen); 2081 } 2082 return true; 2083} 2084 2085int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, 2086 int (*func)(struct xfrm_state *, int, void*), 2087 void *data) 2088{ 2089 struct xfrm_state *state; 2090 struct xfrm_state_walk *x; 2091 int err = 0; 2092 2093 if (walk->seq != 0 && list_empty(&walk->all)) 2094 return 0; 2095 2096 spin_lock_bh(&net->xfrm.xfrm_state_lock); 2097 if (list_empty(&walk->all)) 2098 x = list_first_entry(&net->xfrm.state_all, struct xfrm_state_walk, all); 2099 else 2100 x = list_first_entry(&walk->all, struct xfrm_state_walk, all); 2101 list_for_each_entry_from(x, &net->xfrm.state_all, all) { 2102 if (x->state == XFRM_STATE_DEAD) 2103 continue; 2104 state = container_of(x, struct xfrm_state, km); 2105 if (!xfrm_id_proto_match(state->id.proto, walk->proto)) 2106 continue; 2107 if (!__xfrm_state_filter_match(state, walk->filter)) 2108 continue; 2109 err = func(state, walk->seq, data); 2110 if (err) { 2111 list_move_tail(&walk->all, &x->all); 2112 goto out; 2113 } 2114 walk->seq++; 2115 } 2116 if (walk->seq == 0) { 2117 err = -ENOENT; 2118 goto out; 2119 } 2120 list_del_init(&walk->all); 2121out: 2122 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 2123 return err; 2124} 2125EXPORT_SYMBOL(xfrm_state_walk); 2126 2127void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto, 2128 struct xfrm_address_filter *filter) 2129{ 2130 INIT_LIST_HEAD(&walk->all); 2131 walk->proto = proto; 2132 walk->state = XFRM_STATE_DEAD; 2133 walk->seq = 0; 2134 walk->filter = filter; 2135} 2136EXPORT_SYMBOL(xfrm_state_walk_init); 2137 2138void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net) 2139{ 2140 kfree(walk->filter); 2141 2142 if (list_empty(&walk->all)) 2143 return; 2144 2145 spin_lock_bh(&net->xfrm.xfrm_state_lock); 2146 list_del(&walk->all); 2147 spin_unlock_bh(&net->xfrm.xfrm_state_lock); 2148} 2149EXPORT_SYMBOL(xfrm_state_walk_done); 2150 2151static void xfrm_replay_timer_handler(struct timer_list *t) 2152{ 2153 struct xfrm_state *x = from_timer(x, t, rtimer); 2154 2155 spin_lock(&x->lock); 2156 2157 if (x->km.state == XFRM_STATE_VALID) { 2158 if (xfrm_aevent_is_on(xs_net(x))) 2159 x->repl->notify(x, XFRM_REPLAY_TIMEOUT); 2160 else 2161 x->xflags |= XFRM_TIME_DEFER; 2162 } 2163 2164 spin_unlock(&x->lock); 2165} 2166 2167static LIST_HEAD(xfrm_km_list); 2168 2169void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 2170{ 2171 struct xfrm_mgr *km; 2172 2173 rcu_read_lock(); 2174 list_for_each_entry_rcu(km, &xfrm_km_list, list) 2175 if (km->notify_policy) 2176 km->notify_policy(xp, dir, c); 2177 rcu_read_unlock(); 2178} 2179 2180void km_state_notify(struct xfrm_state *x, const struct km_event *c) 2181{ 2182 struct xfrm_mgr *km; 2183 rcu_read_lock(); 2184 list_for_each_entry_rcu(km, &xfrm_km_list, list) 2185 if (km->notify) 2186 km->notify(x, c); 2187 rcu_read_unlock(); 2188} 2189 2190EXPORT_SYMBOL(km_policy_notify); 2191EXPORT_SYMBOL(km_state_notify); 2192 2193void km_state_expired(struct xfrm_state *x, int hard, u32 portid) 2194{ 2195 struct km_event c; 2196 2197 c.data.hard = hard; 2198 c.portid = portid; 2199 c.event = XFRM_MSG_EXPIRE; 2200 km_state_notify(x, &c); 2201} 2202 2203EXPORT_SYMBOL(km_state_expired); 2204/* 2205 * We send to all registered managers regardless of failure 2206 * We are happy with one success 2207*/ 2208int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol) 2209{ 2210 int err = -EINVAL, acqret; 2211 struct xfrm_mgr *km; 2212 2213 rcu_read_lock(); 2214 list_for_each_entry_rcu(km, &xfrm_km_list, list) { 2215 acqret = km->acquire(x, t, pol); 2216 if (!acqret) 2217 err = acqret; 2218 } 2219 rcu_read_unlock(); 2220 return err; 2221} 2222EXPORT_SYMBOL(km_query); 2223 2224static int __km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) 2225{ 2226 int err = -EINVAL; 2227 struct xfrm_mgr *km; 2228 2229 rcu_read_lock(); 2230 list_for_each_entry_rcu(km, &xfrm_km_list, list) { 2231 if (km->new_mapping) 2232 err = km->new_mapping(x, ipaddr, sport); 2233 if (!err) 2234 break; 2235 } 2236 rcu_read_unlock(); 2237 return err; 2238} 2239 2240int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) 2241{ 2242 int ret = 0; 2243 2244 if (x->mapping_maxage) { 2245 if ((jiffies / HZ - x->new_mapping) > x->mapping_maxage || 2246 x->new_mapping_sport != sport) { 2247 x->new_mapping_sport = sport; 2248 x->new_mapping = jiffies / HZ; 2249 ret = __km_new_mapping(x, ipaddr, sport); 2250 } 2251 } else { 2252 ret = __km_new_mapping(x, ipaddr, sport); 2253 } 2254 2255 return ret; 2256} 2257EXPORT_SYMBOL(km_new_mapping); 2258 2259void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid) 2260{ 2261 struct km_event c; 2262 2263 c.data.hard = hard; 2264 c.portid = portid; 2265 c.event = XFRM_MSG_POLEXPIRE; 2266 km_policy_notify(pol, dir, &c); 2267} 2268EXPORT_SYMBOL(km_policy_expired); 2269 2270#ifdef CONFIG_XFRM_MIGRATE 2271int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 2272 const struct xfrm_migrate *m, int num_migrate, 2273 const struct xfrm_kmaddress *k, 2274 const struct xfrm_encap_tmpl *encap) 2275{ 2276 int err = -EINVAL; 2277 int ret; 2278 struct xfrm_mgr *km; 2279 2280 rcu_read_lock(); 2281 list_for_each_entry_rcu(km, &xfrm_km_list, list) { 2282 if (km->migrate) { 2283 ret = km->migrate(sel, dir, type, m, num_migrate, k, 2284 encap); 2285 if (!ret) 2286 err = ret; 2287 } 2288 } 2289 rcu_read_unlock(); 2290 return err; 2291} 2292EXPORT_SYMBOL(km_migrate); 2293#endif 2294 2295int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr) 2296{ 2297 int err = -EINVAL; 2298 int ret; 2299 struct xfrm_mgr *km; 2300 2301 rcu_read_lock(); 2302 list_for_each_entry_rcu(km, &xfrm_km_list, list) { 2303 if (km->report) { 2304 ret = km->report(net, proto, sel, addr); 2305 if (!ret) 2306 err = ret; 2307 } 2308 } 2309 rcu_read_unlock(); 2310 return err; 2311} 2312EXPORT_SYMBOL(km_report); 2313 2314static bool km_is_alive(const struct km_event *c) 2315{ 2316 struct xfrm_mgr *km; 2317 bool is_alive = false; 2318 2319 rcu_read_lock(); 2320 list_for_each_entry_rcu(km, &xfrm_km_list, list) { 2321 if (km->is_alive && km->is_alive(c)) { 2322 is_alive = true; 2323 break; 2324 } 2325 } 2326 rcu_read_unlock(); 2327 2328 return is_alive; 2329} 2330 2331#if IS_ENABLED(CONFIG_XFRM_USER_COMPAT) 2332static DEFINE_SPINLOCK(xfrm_translator_lock); 2333static struct xfrm_translator __rcu *xfrm_translator; 2334 2335struct xfrm_translator *xfrm_get_translator(void) 2336{ 2337 struct xfrm_translator *xtr; 2338 2339 rcu_read_lock(); 2340 xtr = rcu_dereference(xfrm_translator); 2341 if (unlikely(!xtr)) 2342 goto out; 2343 if (!try_module_get(xtr->owner)) 2344 xtr = NULL; 2345out: 2346 rcu_read_unlock(); 2347 return xtr; 2348} 2349EXPORT_SYMBOL_GPL(xfrm_get_translator); 2350 2351void xfrm_put_translator(struct xfrm_translator *xtr) 2352{ 2353 module_put(xtr->owner); 2354} 2355EXPORT_SYMBOL_GPL(xfrm_put_translator); 2356 2357int xfrm_register_translator(struct xfrm_translator *xtr) 2358{ 2359 int err = 0; 2360 2361 spin_lock_bh(&xfrm_translator_lock); 2362 if (unlikely(xfrm_translator != NULL)) 2363 err = -EEXIST; 2364 else 2365 rcu_assign_pointer(xfrm_translator, xtr); 2366 spin_unlock_bh(&xfrm_translator_lock); 2367 2368 return err; 2369} 2370EXPORT_SYMBOL_GPL(xfrm_register_translator); 2371 2372int xfrm_unregister_translator(struct xfrm_translator *xtr) 2373{ 2374 int err = 0; 2375 2376 spin_lock_bh(&xfrm_translator_lock); 2377 if (likely(xfrm_translator != NULL)) { 2378 if (rcu_access_pointer(xfrm_translator) != xtr) 2379 err = -EINVAL; 2380 else 2381 RCU_INIT_POINTER(xfrm_translator, NULL); 2382 } 2383 spin_unlock_bh(&xfrm_translator_lock); 2384 synchronize_rcu(); 2385 2386 return err; 2387} 2388EXPORT_SYMBOL_GPL(xfrm_unregister_translator); 2389#endif 2390 2391int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval, int optlen) 2392{ 2393 int err; 2394 u8 *data; 2395 struct xfrm_mgr *km; 2396 struct xfrm_policy *pol = NULL; 2397 2398 if (sockptr_is_null(optval) && !optlen) { 2399 xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL); 2400 xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL); 2401 __sk_dst_reset(sk); 2402 return 0; 2403 } 2404 2405 if (optlen <= 0 || optlen > PAGE_SIZE) 2406 return -EMSGSIZE; 2407 2408 data = memdup_sockptr(optval, optlen); 2409 if (IS_ERR(data)) 2410 return PTR_ERR(data); 2411 2412 if (in_compat_syscall()) { 2413 struct xfrm_translator *xtr = xfrm_get_translator(); 2414 2415 if (!xtr) { 2416 kfree(data); 2417 return -EOPNOTSUPP; 2418 } 2419 2420 err = xtr->xlate_user_policy_sockptr(&data, optlen); 2421 xfrm_put_translator(xtr); 2422 if (err) { 2423 kfree(data); 2424 return err; 2425 } 2426 } 2427 2428 err = -EINVAL; 2429 rcu_read_lock(); 2430 list_for_each_entry_rcu(km, &xfrm_km_list, list) { 2431 pol = km->compile_policy(sk, optname, data, 2432 optlen, &err); 2433 if (err >= 0) 2434 break; 2435 } 2436 rcu_read_unlock(); 2437 2438 if (err >= 0) { 2439 xfrm_sk_policy_insert(sk, err, pol); 2440 xfrm_pol_put(pol); 2441 __sk_dst_reset(sk); 2442 err = 0; 2443 } 2444 2445 kfree(data); 2446 return err; 2447} 2448EXPORT_SYMBOL(xfrm_user_policy); 2449 2450static DEFINE_SPINLOCK(xfrm_km_lock); 2451 2452int xfrm_register_km(struct xfrm_mgr *km) 2453{ 2454 spin_lock_bh(&xfrm_km_lock); 2455 list_add_tail_rcu(&km->list, &xfrm_km_list); 2456 spin_unlock_bh(&xfrm_km_lock); 2457 return 0; 2458} 2459EXPORT_SYMBOL(xfrm_register_km); 2460 2461int xfrm_unregister_km(struct xfrm_mgr *km) 2462{ 2463 spin_lock_bh(&xfrm_km_lock); 2464 list_del_rcu(&km->list); 2465 spin_unlock_bh(&xfrm_km_lock); 2466 synchronize_rcu(); 2467 return 0; 2468} 2469EXPORT_SYMBOL(xfrm_unregister_km); 2470 2471int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo) 2472{ 2473 int err = 0; 2474 2475 if (WARN_ON(afinfo->family >= NPROTO)) 2476 return -EAFNOSUPPORT; 2477 2478 spin_lock_bh(&xfrm_state_afinfo_lock); 2479 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL)) 2480 err = -EEXIST; 2481 else 2482 rcu_assign_pointer(xfrm_state_afinfo[afinfo->family], afinfo); 2483 spin_unlock_bh(&xfrm_state_afinfo_lock); 2484 return err; 2485} 2486EXPORT_SYMBOL(xfrm_state_register_afinfo); 2487 2488int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo) 2489{ 2490 int err = 0, family = afinfo->family; 2491 2492 if (WARN_ON(family >= NPROTO)) 2493 return -EAFNOSUPPORT; 2494 2495 spin_lock_bh(&xfrm_state_afinfo_lock); 2496 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) { 2497 if (rcu_access_pointer(xfrm_state_afinfo[family]) != afinfo) 2498 err = -EINVAL; 2499 else 2500 RCU_INIT_POINTER(xfrm_state_afinfo[afinfo->family], NULL); 2501 } 2502 spin_unlock_bh(&xfrm_state_afinfo_lock); 2503 synchronize_rcu(); 2504 return err; 2505} 2506EXPORT_SYMBOL(xfrm_state_unregister_afinfo); 2507 2508struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family) 2509{ 2510 if (unlikely(family >= NPROTO)) 2511 return NULL; 2512 2513 return rcu_dereference(xfrm_state_afinfo[family]); 2514} 2515EXPORT_SYMBOL_GPL(xfrm_state_afinfo_get_rcu); 2516 2517struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family) 2518{ 2519 struct xfrm_state_afinfo *afinfo; 2520 if (unlikely(family >= NPROTO)) 2521 return NULL; 2522 rcu_read_lock(); 2523 afinfo = rcu_dereference(xfrm_state_afinfo[family]); 2524 if (unlikely(!afinfo)) 2525 rcu_read_unlock(); 2526 return afinfo; 2527} 2528 2529void xfrm_flush_gc(void) 2530{ 2531 flush_work(&xfrm_state_gc_work); 2532} 2533EXPORT_SYMBOL(xfrm_flush_gc); 2534 2535/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ 2536void xfrm_state_delete_tunnel(struct xfrm_state *x) 2537{ 2538 if (x->tunnel) { 2539 struct xfrm_state *t = x->tunnel; 2540 2541 if (atomic_read(&t->tunnel_users) == 2) 2542 xfrm_state_delete(t); 2543 atomic_dec(&t->tunnel_users); 2544 xfrm_state_put_sync(t); 2545 x->tunnel = NULL; 2546 } 2547} 2548EXPORT_SYMBOL(xfrm_state_delete_tunnel); 2549 2550u32 xfrm_state_mtu(struct xfrm_state *x, int mtu) 2551{ 2552 const struct xfrm_type *type = READ_ONCE(x->type); 2553 struct crypto_aead *aead; 2554 u32 blksize, net_adj = 0; 2555 2556 if (x->km.state != XFRM_STATE_VALID || 2557 !type || type->proto != IPPROTO_ESP) 2558 return mtu - x->props.header_len; 2559 2560 aead = x->data; 2561 blksize = ALIGN(crypto_aead_blocksize(aead), 4); 2562 2563 switch (x->props.mode) { 2564 case XFRM_MODE_TRANSPORT: 2565 case XFRM_MODE_BEET: 2566 if (x->props.family == AF_INET) 2567 net_adj = sizeof(struct iphdr); 2568 else if (x->props.family == AF_INET6) 2569 net_adj = sizeof(struct ipv6hdr); 2570 break; 2571 case XFRM_MODE_TUNNEL: 2572 break; 2573 default: 2574 WARN_ON_ONCE(1); 2575 break; 2576 } 2577 2578 return ((mtu - x->props.header_len - crypto_aead_authsize(aead) - 2579 net_adj) & ~(blksize - 1)) + net_adj - 2; 2580} 2581EXPORT_SYMBOL_GPL(xfrm_state_mtu); 2582 2583int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload) 2584{ 2585 const struct xfrm_mode *inner_mode; 2586 const struct xfrm_mode *outer_mode; 2587 int family = x->props.family; 2588 int err; 2589 2590 if (family == AF_INET && 2591 READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)) 2592 x->props.flags |= XFRM_STATE_NOPMTUDISC; 2593 2594 err = -EPROTONOSUPPORT; 2595 2596 if (x->sel.family != AF_UNSPEC) { 2597 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family); 2598 if (inner_mode == NULL) 2599 goto error; 2600 2601 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) && 2602 family != x->sel.family) 2603 goto error; 2604 2605 x->inner_mode = *inner_mode; 2606 } else { 2607 const struct xfrm_mode *inner_mode_iaf; 2608 int iafamily = AF_INET; 2609 2610 inner_mode = xfrm_get_mode(x->props.mode, x->props.family); 2611 if (inner_mode == NULL) 2612 goto error; 2613 2614 x->inner_mode = *inner_mode; 2615 2616 if (x->props.family == AF_INET) 2617 iafamily = AF_INET6; 2618 2619 inner_mode_iaf = xfrm_get_mode(x->props.mode, iafamily); 2620 if (inner_mode_iaf) { 2621 if (inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL) 2622 x->inner_mode_iaf = *inner_mode_iaf; 2623 } 2624 } 2625 2626 x->type = xfrm_get_type(x->id.proto, family); 2627 if (x->type == NULL) 2628 goto error; 2629 2630 x->type_offload = xfrm_get_type_offload(x->id.proto, family, offload); 2631 2632 err = x->type->init_state(x); 2633 if (err) 2634 goto error; 2635 2636 outer_mode = xfrm_get_mode(x->props.mode, family); 2637 if (!outer_mode) { 2638 err = -EPROTONOSUPPORT; 2639 goto error; 2640 } 2641 2642 x->outer_mode = *outer_mode; 2643 if (init_replay) { 2644 err = xfrm_init_replay(x); 2645 if (err) 2646 goto error; 2647 } 2648 2649error: 2650 return err; 2651} 2652 2653EXPORT_SYMBOL(__xfrm_init_state); 2654 2655int xfrm_init_state(struct xfrm_state *x) 2656{ 2657 int err; 2658 2659 err = __xfrm_init_state(x, true, false); 2660 if (!err) 2661 x->km.state = XFRM_STATE_VALID; 2662 2663 return err; 2664} 2665 2666EXPORT_SYMBOL(xfrm_init_state); 2667 2668int __net_init xfrm_state_init(struct net *net) 2669{ 2670 unsigned int sz; 2671 2672 if (net_eq(net, &init_net)) 2673 xfrm_state_cache = KMEM_CACHE(xfrm_state, 2674 SLAB_HWCACHE_ALIGN | SLAB_PANIC); 2675 2676 INIT_LIST_HEAD(&net->xfrm.state_all); 2677 2678 sz = sizeof(struct hlist_head) * 8; 2679 2680 net->xfrm.state_bydst = xfrm_hash_alloc(sz); 2681 if (!net->xfrm.state_bydst) 2682 goto out_bydst; 2683 net->xfrm.state_bysrc = xfrm_hash_alloc(sz); 2684 if (!net->xfrm.state_bysrc) 2685 goto out_bysrc; 2686 net->xfrm.state_byspi = xfrm_hash_alloc(sz); 2687 if (!net->xfrm.state_byspi) 2688 goto out_byspi; 2689 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1); 2690 2691 net->xfrm.state_num = 0; 2692 INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize); 2693 spin_lock_init(&net->xfrm.xfrm_state_lock); 2694 seqcount_init(&net->xfrm.xfrm_state_hash_generation); 2695 return 0; 2696 2697out_byspi: 2698 xfrm_hash_free(net->xfrm.state_bysrc, sz); 2699out_bysrc: 2700 xfrm_hash_free(net->xfrm.state_bydst, sz); 2701out_bydst: 2702 return -ENOMEM; 2703} 2704 2705void xfrm_state_fini(struct net *net) 2706{ 2707 unsigned int sz; 2708 2709 flush_work(&net->xfrm.state_hash_work); 2710 flush_work(&xfrm_state_gc_work); 2711 xfrm_state_flush(net, 0, false, true); 2712 2713 WARN_ON(!list_empty(&net->xfrm.state_all)); 2714 2715 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head); 2716 WARN_ON(!hlist_empty(net->xfrm.state_byspi)); 2717 xfrm_hash_free(net->xfrm.state_byspi, sz); 2718 WARN_ON(!hlist_empty(net->xfrm.state_bysrc)); 2719 xfrm_hash_free(net->xfrm.state_bysrc, sz); 2720 WARN_ON(!hlist_empty(net->xfrm.state_bydst)); 2721 xfrm_hash_free(net->xfrm.state_bydst, sz); 2722} 2723 2724#ifdef CONFIG_AUDITSYSCALL 2725static void xfrm_audit_helper_sainfo(struct xfrm_state *x, 2726 struct audit_buffer *audit_buf) 2727{ 2728 struct xfrm_sec_ctx *ctx = x->security; 2729 u32 spi = ntohl(x->id.spi); 2730 2731 if (ctx) 2732 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2733 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); 2734 2735 switch (x->props.family) { 2736 case AF_INET: 2737 audit_log_format(audit_buf, " src=%pI4 dst=%pI4", 2738 &x->props.saddr.a4, &x->id.daddr.a4); 2739 break; 2740 case AF_INET6: 2741 audit_log_format(audit_buf, " src=%pI6 dst=%pI6", 2742 x->props.saddr.a6, x->id.daddr.a6); 2743 break; 2744 } 2745 2746 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); 2747} 2748 2749static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, 2750 struct audit_buffer *audit_buf) 2751{ 2752 const struct iphdr *iph4; 2753 const struct ipv6hdr *iph6; 2754 2755 switch (family) { 2756 case AF_INET: 2757 iph4 = ip_hdr(skb); 2758 audit_log_format(audit_buf, " src=%pI4 dst=%pI4", 2759 &iph4->saddr, &iph4->daddr); 2760 break; 2761 case AF_INET6: 2762 iph6 = ipv6_hdr(skb); 2763 audit_log_format(audit_buf, 2764 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x", 2765 &iph6->saddr, &iph6->daddr, 2766 iph6->flow_lbl[0] & 0x0f, 2767 iph6->flow_lbl[1], 2768 iph6->flow_lbl[2]); 2769 break; 2770 } 2771} 2772 2773void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid) 2774{ 2775 struct audit_buffer *audit_buf; 2776 2777 audit_buf = xfrm_audit_start("SAD-add"); 2778 if (audit_buf == NULL) 2779 return; 2780 xfrm_audit_helper_usrinfo(task_valid, audit_buf); 2781 xfrm_audit_helper_sainfo(x, audit_buf); 2782 audit_log_format(audit_buf, " res=%u", result); 2783 audit_log_end(audit_buf); 2784} 2785EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2786 2787void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid) 2788{ 2789 struct audit_buffer *audit_buf; 2790 2791 audit_buf = xfrm_audit_start("SAD-delete"); 2792 if (audit_buf == NULL) 2793 return; 2794 xfrm_audit_helper_usrinfo(task_valid, audit_buf); 2795 xfrm_audit_helper_sainfo(x, audit_buf); 2796 audit_log_format(audit_buf, " res=%u", result); 2797 audit_log_end(audit_buf); 2798} 2799EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); 2800 2801void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 2802 struct sk_buff *skb) 2803{ 2804 struct audit_buffer *audit_buf; 2805 u32 spi; 2806 2807 audit_buf = xfrm_audit_start("SA-replay-overflow"); 2808 if (audit_buf == NULL) 2809 return; 2810 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2811 /* don't record the sequence number because it's inherent in this kind 2812 * of audit message */ 2813 spi = ntohl(x->id.spi); 2814 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); 2815 audit_log_end(audit_buf); 2816} 2817EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow); 2818 2819void xfrm_audit_state_replay(struct xfrm_state *x, 2820 struct sk_buff *skb, __be32 net_seq) 2821{ 2822 struct audit_buffer *audit_buf; 2823 u32 spi; 2824 2825 audit_buf = xfrm_audit_start("SA-replayed-pkt"); 2826 if (audit_buf == NULL) 2827 return; 2828 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2829 spi = ntohl(x->id.spi); 2830 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2831 spi, spi, ntohl(net_seq)); 2832 audit_log_end(audit_buf); 2833} 2834EXPORT_SYMBOL_GPL(xfrm_audit_state_replay); 2835 2836void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) 2837{ 2838 struct audit_buffer *audit_buf; 2839 2840 audit_buf = xfrm_audit_start("SA-notfound"); 2841 if (audit_buf == NULL) 2842 return; 2843 xfrm_audit_helper_pktinfo(skb, family, audit_buf); 2844 audit_log_end(audit_buf); 2845} 2846EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple); 2847 2848void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, 2849 __be32 net_spi, __be32 net_seq) 2850{ 2851 struct audit_buffer *audit_buf; 2852 u32 spi; 2853 2854 audit_buf = xfrm_audit_start("SA-notfound"); 2855 if (audit_buf == NULL) 2856 return; 2857 xfrm_audit_helper_pktinfo(skb, family, audit_buf); 2858 spi = ntohl(net_spi); 2859 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2860 spi, spi, ntohl(net_seq)); 2861 audit_log_end(audit_buf); 2862} 2863EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound); 2864 2865void xfrm_audit_state_icvfail(struct xfrm_state *x, 2866 struct sk_buff *skb, u8 proto) 2867{ 2868 struct audit_buffer *audit_buf; 2869 __be32 net_spi; 2870 __be32 net_seq; 2871 2872 audit_buf = xfrm_audit_start("SA-icv-failure"); 2873 if (audit_buf == NULL) 2874 return; 2875 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2876 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) { 2877 u32 spi = ntohl(net_spi); 2878 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2879 spi, spi, ntohl(net_seq)); 2880 } 2881 audit_log_end(audit_buf); 2882} 2883EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail); 2884#endif /* CONFIG_AUDITSYSCALL */ 2885